PKI primer: the technology and the promise

Some security experts tout Public Key Infrastructure as the key enabling technology for E-commerce, the security safety net that will enable the buying and selling of goods online with the assurance that each party is who they say they are, that transactions will be completed as expected and that goods and services will be paid for.

Some security experts tout Public Key Infrastructure as the key enabling technology for E-commerce, the security safety net that will enable the buying and selling of goods online with the assurance that each party is who they say they are, that transactions will be completed as expected and that goods and services will be paid for.

Others say such expectations are overblown, that no security technology can be considered airtight and foolproof, at least not for long.

"Some people look at PKI as something that can't be contested, that's more foolproof than a written signature," says Patrick McBride, executive vice president of METASeS, a security consultancy in Atlanta. "That's bunk. People can and will steal keys."

The "keys" McBride refers to are actually software codes used to encrypt and decrypt data and to digitally "sign" documents. In essence, the key unlocks a user's digital identity.

Even if PKI isn't perfect - and nobody is claiming it is - it does appear to be the best bet for providing a strong layer of security around E-commerce transactions. Datamonitor, a research firm based in London, expects PKI vendors will show steady growth in coming years, generating $1.4 billion in 2003.

PKI consists of several components that typically reside on a user's client system or on a host server system, such as a Web site.

One of the key PKI components is a digital certficate, which identifies a person or a computer. Depending on the application for which it's intended, the certificate may identify the user by name and address, or it could have a raft of information, such as the user's various rights and privileges. For example, a bank may divide its customers by account size, allowing larger customers to access more areas on its Web site. Alternatively, this sort of authorization data can be stored in a centralized corporate directory rather than on the digital certificate, a strategy that some experts argue makes the data easier to update.

PKI also makes use of public and private keys that enable users to encrypt and to digitally "sign" messages or documents. When such an electronic signature is applied, it can be proven mathematically that the signed data wasn't tampered with en route to the recipient. This is an important element of PKI that provides for non-repudiation, which essentially is the ability to prove that a certain person initiated or completed a specific transaction.

In practice, PKI requires a rather elaborate system be established to distribute and manage certificates. Certificates are issued by a certificate authority (CA), which is a party that is trusted to appropriately manage certificates. A company could be its own CA, issuing and managing certificates on behalf of its employees. Alternatively, a number of public CAs are cropping up, such as Identrus in the financial industry.

Identrus was created by a number of large banks and is building a "hiearchy of trust" in the financial world. Identrus acts as the root of the hierarchy and authorizes other member banks to act as CAs on its behalf. Those CAs, in turn, become responsible for distributing certificates to companies and individuals they deem fiscally fit to participate in the system, using the same sort of criteria a bank applies before it agrees to issue a loan.

Similar trust hierarchies are cropping up in other vertical industries, and companies including VeriSign, Inc. also offer more general PKI services with varying levels of trust.

When it's all working correctly, PKI can enable secure online transactions between parties who don't know each other. If each party in the transaction has a certificate from a CA that is trusted by the other party, they can complete the transaction by verifying each other's identity and exchanging whatever secure documents are required. Similarly, a company could use PKI to give customers and business partners access to relevant parts of its internal computer systems, such as product databases and other supply chain information.

Clearly there are challenges in setting up such an elaborate system, and it's already been years in the making. Among the issues is how to protect the certificates and keys used in the process. But numerous vendors are at working coming up with answers, such as storing certificates in smart cards or other forms of hardware tokens rather than on PCs.

Another idea, espoused by companies including NTRU Cryptosystems, Inc., Burlington, Mass., is to establish a more dynamic system of creating keys. NTRU's strategy is to use keys that can be disposed of after each transaction, or even each step in a transaction, making the problem of stolen keys all but moot.